* LOG target for rate-limiting on iptables not working...?
From: Jens Knoell @ 2006-03-02 23:26 UTC (permalink / raw)
To: linux-admin
I've rate-limited the incoming connections to some ports. The rate
limiting works, but it doesn't log to syslog... other non-rate-limiting
rules where LOG targets exist work, so I know logging in principle works.
What am I missing? No LOG target for this module? :)
Rule:
# POP3 (max 5 per minute)
$FW -I INPUT -p tcp --dport 110 -i eth0 -m state --state NEW -m recent \
    --set
$FW -I INPUT -p tcp --dport 110 -i eth0 -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 5 -j LOG --log-level warn \
    --log-prefix "RLIMIT[POP3]: "
$FW -I INPUT -p tcp --dport 110 -i eth0 -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 5 -j REJECT
Also, is there any advantage to using DROP instead of REJECT? Just
curious.
J
* Re: LOG target for rate-limiting on iptables not working...?
From: Stephen Samuel @ 2006-03-03 0:55 UTC (permalink / raw)
To: Jens Knoell; +Cc: linux-admin
I usually just have a rule like logreject:
# RULE: Logreject: create the chain first, then fill it in order. LOG has
# to sit above the terminating REJECT, so the rules are appended with -A
# (a second -I would push REJECT above LOG and the LOG rule would never run).
$FW -N LogReject1
$FW -A LogReject1 -j LOG --log-level warn --log-prefix "RLIMIT[POP3]: "
$FW -A LogReject1 -j REJECT
$FW -I INPUT -p tcp --dport 110 -i eth0 -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 5 -j LogReject1
Jens Knoell wrote:
>I've rate-limited the incoming connections to some ports. The rate
>limiting works, but it doesn't log to syslog... other non-rate-limiting
>rules where LOG targets exist work, so I know logging in principle works.
>What am I missing? No LOG target for this module? :)
>
>
>
>Rule:
>
># POP3 (max 5 per minute)
>
>$FW -I INPUT -p tcp --dport 110 -i eth0 -m state --state NEW -m recent
>--set
>
>$FW -I INPUT -p tcp --dport 110 -i eth0 -m state --state NEW -m recent
>--update --seconds 60 --hitcount 5 -j LOG --log-level warn --log-prefix
>"RLIMIT[POP3]: "
>
>$FW -I INPUT -p tcp --dport 110 -i eth0 -m state --state NEW -m recent
>--update --seconds 60 --hitcount 5 -j REJECT
>
>
>Also, is there any advantage to use DROP instead of REJECT? Just
>curious.
>
>
--
Stephen Samuel +1(604)450-0066 samnospam@bcgreen.com
http://www.bcgreen.com/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.
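Why the LOG rule in the original post never fires, and why a LOG-then-REJECT ordering does, shown with an added Python model of chain traversal and the recent match. This is constructed for this thread and is not code from either poster; the client address is made up, and the model reduces xt_recent to a per-source list of timestamps.

```python
from collections import defaultdict

SECONDS, HITCOUNT = 60, 5     # --seconds 60 --hitcount 5, as in the post
SRC = "192.0.2.10"            # constructed client address (TEST-NET-1)
class Recent:
    """Simplified model of one xt_recent list keyed by source address."""
    def __init__(self):
        self.stamps = defaultdict(list)   # src -> timestamps of its hits

    def set(self, src, now):
        self.stamps[src].append(now)      # --set records a hit, always matches
        return True

    def update(self, src, now):
        # --update --seconds S --hitcount N matches only if src already has
        # >= N hits in the last S seconds; a match also records this packet.
        recent = [t for t in self.stamps[src] if now - t <= SECONDS]
        if len(recent) >= HITCOUNT:
            self.stamps[src] = recent + [now]
            return True
        return False

def run_chain(rules, recent, src, now, log):
    """Walk (recent_flag, target) rules top to bottom: non-matches are skipped,
    LOG writes a line and falls through, a match with no -j falls through,
    and REJECT ends traversal with that verdict."""
    for flag, target in rules:
        if not getattr(recent, flag)(src, now):
            continue
        if target == "LOG":
            log.append(f"RLIMIT[POP3]: SRC={src} t={now}")
        elif target is not None:
            return target
    return "ACCEPT"                       # chain policy assumed in this model

def simulate(rules, packets=8):
    """Open `packets` new connections from SRC one second apart."""
    recent, log, verdicts = Recent(), [], []
    for now in range(packets):
        verdicts.append(run_chain(rules, recent, SRC, now, log))
    return verdicts, log

# Chain contents after the post's three rules are each added with -I: every
# insert lands at position 1, so REJECT (added last) is tested first and the
# LOG rule behind it is never reached once the limit is hit.
AS_INSERTED = [("update", "REJECT"), ("update", "LOG"), ("set", None)]
# The same rules appended with -A, or LOG placed above REJECT inside a
# dedicated chain as the reply suggests: LOG fires before the verdict.
AS_APPENDED = [("set", None), ("update", "LOG"), ("update", "REJECT")]
```

With the -I ordering the log stays empty even though connections are rejected; with the -A ordering every rejected connection produces a log line (and because --set is evaluated before the check, the limit trips one connection earlier).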
* Re: LOG target for rate-limiting on iptables not working...?
From: Stephen Samuel @ 2006-03-03 3:12 UTC (permalink / raw)
To: Jens Knoell; +Cc: linux-admin
Reject will send either a Reset (RST) packet (TCP) or an ICMP reject (UDP).
Drop will silently ignore the packet's existence. The sender will get no
response at all.
If you have no listening ports, and everything that is not associated with
an outgoing connection is DROPped (as opposed to rejected), it makes it
rather hard for a random attacker to realize that your
Generally I would say that errant packets from 'presumed friendly' machines
can probably be safely rejected. Packets from 'presumed hostile' addresses
should probably be silently dropped.
Jens Knoell wrote:
>I've rate-limited the incoming connections to some ports. The rate
>limiting works, but it doesn't log to syslog... other non-rate-limiting
>rules where LOG targets exist work, so I know logging in principle works.
>What am I missing? No LOG target for this module? :)
>
>Also, is there any advantage to use DROP instead of REJECT? Just
>curious.
--
Stephen Samuel +1(604)450-0066 samnospam@bcgreen.com
http://www.bcgreen.com/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.